Court Approves Anthem $115 Million Data Breach Settlement

The $115 million settlement proposed by Anthem Inc. in 2017 to resolve the class action lawsuits filed by victims of its 78.8 million-record data breach in 2015 received final approval on Thursday, August 16.

The Anthem cyberattack resulted in plan members’ names, dates of birth, health insurance information, Social Security numbers and other data elements being stolen by cybercriminals. Several class-action lawsuits were filed in the wake of the breach and were consolidated into a single lawsuit by the Judicial Panel for Multidistrict Litigation in June 2015. The case was assigned to the U.S. District Court for the Northern District of California, where a large proportion of the class members reside.

While 78.8 million individuals had protected health information (PHI) exposed when Anthem’s network was hacked, there are only 19.1 million members of the class action lawsuit, all of whom were able to demonstrate that their personal information was stored in the data center that was attacked by hackers.

Following the data breach, Anthem offered breach victims 24 months of credit monitoring services without charge; however, many class members personally paid for credit monitoring and identity theft protection services and incurred other out-of-pocket expenses as a result of the breach. “The settlement provides the class with a timely, certain, and meaningful recovery,” said Judge Koh. If the settlement were rejected, not only would the litigation come at a considerable cost, but there would also be no guarantee that it would succeed. Even if it did succeed, there would still be substantial delays in any payment being made to the class members to cover costs associated with the breach.

Some of the class members believe the settlement is insufficient and that it has not adequately punished Anthem, although U.S. District Judge Lucy H. Koh believes the settlement is “fair, reasonable, and adequate”. While several objections were received, Judge Koh determined that none of them were valid.

Under the settlement, Anthem has paid for two years of credit monitoring services. This is in addition to the credit monitoring services previously offered by Anthem. Class members who do not have credit monitoring services in place will be able to sign up by submitting a straightforward form. Class members who have already signed up for credit monitoring services can claim a cash payment as an alternative, provided they submit proof of their current credit monitoring services. The fund is sufficient to allow each class member who has submitted a claim to receive a maximum payment of $50 as a cash alternative.

The settlement also includes a fund of $15 million for individuals who have already incurred out-of-pocket expenses as a result of the data breach. So far, only around 1.33 million individuals have submitted a claim. The settlement allows claims of up to $10,000 per individual to reimburse out-of-pocket expenses.

Anthem has also agreed to implement additional security controls to ensure sensitive information is better protected in the future, including the use of encryption for data at rest and enhancements to its data security procedures.
